ONTAP Discussions

OKM first, EKM later - asking for advice - gotchas to know before!

JFM

Hi to you all, 

One of our customers is starting the technical architecture planning for their new A400 units that they got with the multi-tenant feature license with SED drives. The customer will be hosting two different environments on their A400; on top of the SED drives, one of the environments will be using NVE on the volumes. For encryption key management, the customer wanted to use an external solution but found out their HSM solution isn't ready, lacks enough client licenses and needs to be upgraded/refreshed. Instead, the customer will be using Onboard Key Management first. When the external solution is ready, he'd like to make the switch. Separate SVMs will be created in order to enable multitenancy management.

Reading through the NetApp docs, there is a procedure to switch from one solution to another, involving decrypting all the NVE volumes. I worry about the handling of the SED drives... What advice would you give to this customer?

We are at the initial steps in the planning process; a major roadblock in the future could make the HSM upgrade a mandatory step before starting the A400 deployment.


Thanks for your feedback!


Presales SE at ESI Technologies

Lacem

There is a command to migrate existing keys that leverage Onboard Key Management (OKM) to External Key Management (EKM).


See here for key migrate command:
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-980%2Fsecurity__key-manager__key__migrate.html


As to drives that leverage a key, before any maintenance I always recommend unlocking them. It's much easier to rekey a drive than it is to recover a drive locked due to a missing NSE-AK.


To unlock drives run the following:

::> set adv
::*> storage encryption disk modify * -fips-key-id 0x0
::*> storage encryption disk modify * -data-key-id 0x0
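A small pre-maintenance check in the spirit of the advice above, added here as an example; it is not part of the original thread and not NetApp tooling. It assumes a constructed table layout for `storage encryption disk show` output (the real columns may differ; adapt the parser) and flags every drive whose data key id is not 0x0, grouping them by key id so a second, unexpected key shows up before a migration.

```python
from collections import defaultdict

# Constructed sample in the style of `storage encryption disk show` output.
# The column layout is an ASSUMPTION for illustration, not a verbatim capture;
# the key id values are made up.
SAMPLE_OUTPUT = """\
Disk    Mode Data Key ID
------- ---- ------------------------------------------
1.0.0   data 0x0
1.0.1   data 0x0
1.0.2   data 000000000000000002000000000000000A1B2C3D
1.0.3   data 000000000000000002000000000000000A1B2C3D
1.0.4   data 0x0
1.0.5   data 00000000000000000200000000000000FFEEDDCC
"""

UNLOCKED = "0x0"  # the id the thread sets with `-data-key-id 0x0`

def parse_disk_keys(text):
    """Return {disk: data key id} from the (assumed) table layout above."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Disk") or line.startswith("---"):
            continue  # header, separator or blank line
        parts = line.split()
        if len(parts) < 3:
            continue  # not a disk row
        keys[parts[0]] = parts[-1]
    return keys

def locked_drives(keys):
    """Group drives by key id; anything other than 0x0 is still locked."""
    locked = defaultdict(list)
    for disk, key_id in sorted(keys.items()):
        if key_id != UNLOCKED:
            locked[key_id].append(disk)
    return dict(locked)

def report(text):
    """Human-readable summary; warns when more than one key id is in use."""
    keys = parse_disk_keys(text)
    locked = locked_drives(keys)
    total = sum(len(d) for d in locked.values())
    lines = [f"{len(keys)} drives parsed, {total} still locked"]
    for key_id, disks in locked.items():
        lines.append(f"  key {key_id}: {', '.join(disks)}")
    if len(locked) > 1:
        lines.append("  WARNING: more than one authentication key in use; "
                     "confirm every key id exists in the key manager first")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```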

JFM

Thanks for your reply... by unlocking SED drives before doing any maintenance... should I understand that by doing so, data on the drives will be decrypted? It's not clear to me what "unlock a SED drive" means... if the data is actually decrypted... a long operation, I guess? Also, data would be put in the clear (unless the NVE stays in place).

Presales SE at ESI Technologies

Lacem

Self-Encrypting Drives (SEDs) encrypt on the drives themselves, therefore applying or removing a key is fairly instant and has no bearing on the data contained within.


So, whether a key manager is in place or not does not really matter, as the data is still encrypted on the individual drives. The authentication key, which is managed by a key manager, is applied to a drive as a means of power loss protection.

JFM

Oh, that's quite different... I thought the SED drives were using the key for data encryption... just like for NVE... it seems the keys are unique to each drive... right?

Presales SE at ESI Technologies

Lacem

Each drive contains the encryption logic in the FW on the drive. I am not 100% sure about the private keys; I assume they are unique to each drive. (Just my assumption)


As to ONTAP, you can create an NSE-AK (NetApp Storage Encryption Authentication Key) which will be used to lock the drive should a power cycle occur. This key can be applied to all drives, which is the common trend I see in the field.


This may talk more about it:

https://www.netapp.com/pdf.html?item=/media/7563-ds-3213-en.pdf&v=20209390

JFM

Thanks for the reply. This helps a lot. 

Presales SE at ESI Technologies